Malware Archive

MD5 : 2d575834fdb438cf36ebade22e476474
SHA1SUM : 543dc6fe7430cf008b1cde958fc1d705e4742fad

Objdump info:

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00439d2a

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Sun May 20 19:49:13 2007
Magic 010b (PE32)
MajorLinkerVersion 5
MinorLinkerVersion 12
SizeOfCode 00000000
SizeOfInitializedData 00000000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000039d2a
BaseOfCode 0000000000000000
BaseOfData 0000000000000000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0003a226
SizeOfHeaders 00000200
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000000000003a0c4 00000028 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .RLPack at 0x43a0c4

The Import Tables (interpreted .RLPack section contents)
vma:     Hint Table  Time Stamp  Forward Chain  DLL Name  First Thunk
0003a0c4 00000000 00000000 00000000 0003a0ec 0003a0f9

DLL Name: kernel32.dll

0003a0d8 00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name Size VMA LMA File off Algn
0 .packed 00000000 00401000 00401000 00000000 2**2
ALLOC, LOAD, READONLY, CODE
1 .RLPack 0000c226 0042e000 0042e000 00000200 2**2
CONTENTS, ALLOC, LOAD, CODE

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 46508A19 Sun May 20 19:49:13 2007
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 0003A226
Code Base: 00000000 Size: 00000000
Data Base: 00000000 Size: 00000000
Entry Point: 00039D2A (file offset 0000BF2A)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .packed RVA: 00001000 Offset: 00000000 Size: 00000000 Flags: 60000020 (CER)
2: .RLPack RVA: 0002E000 Offset: 00000200 Size: 0000C226 Flags: E0000020 (CERW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: kernel32.dll
Addr: 0003A0F9 hint: 0(0000) Name: LoadLibraryA
Addr: 0003A0FD hint: 0(0000) Name: GetProcAddress
Addr: 0003A101 hint: 0(0000) Name: VirtualAlloc
Addr: 0003A105 hint: 0(0000) Name: VirtualFree
Addr: 0003A109 hint: 0(0000) Name: VirtualProtect

Strings info:

W\?&X
2OkH
`*yhG
F=t
5?Ool
l)p=m
h9e\
wI$F
d=-x
S%q?
t".p
<Sgw
aDYb
9^G.
2NSQ
$V.9
~U;#;
rT2
VI5\U
@ 4+
CD|a
\a 2
cK6B
nTEZ
ryoX
^DVN
Sc=p
P2_HK
@,C*6
evXL
[XCZ
!`2a_
FQ8n
[~J0nc
>&@
"e`*
us@F
Z\z9
~~.k
^g<B
u!6,M
g*`Y
w<,\
Ghow
NVg4l
'W%R
.NmD
_/$5Sh
S^mV5
s)b_
3I>%c
KEuU
O8l;|
\2)v1
CVKnB
lzvf
WpP^
MGr{p
IWD\
o{XI
#3=Q
0V|kt(
8:rT
OU:I
w)$4
>\]W
&"(,i
4bP<d"
i~LY`w<
M"|)
0p"
.Pfa
+$Hh;8(
@"U&
.">h
^v6{[
ygdK=\Q
pv 'n
:#!{
wg{
#48FX
`#&~
b{vA
5&$'
B#[K
8eHR
qy:-*
oDby
l`A*
g0G-q
96hl!
c*t7=
>O5_
DZwb
sX*dh
.&m
{E%s
%g{0
[_!<n
%WO6
2.>g
=|CF
`0Ef
^oUfq
K$3E
O8gw
ZN<a
(4f.
]N&ms O
7&w,
m]k3
fu8L
%x9^4
@ s
Ux[Z`
0"*z
MSR
2{hm+
-aXz
=EIe8
*7DC V
<w?=
<?L[
C#B~
).&F
e`]_
i!{T
07`C
O3$;h
Rov.
vneJ
B?vb
W8Qr
j3.v
(_E-'
kT!s
QG|`
2Wg5fu
zXx^
$@U(.
=)kO]s>Q
mv@x
wH52
"T-c
<MZn
V)=n
~Lqfa
#p=m
ywJt
.ET
G%zhT
Azq]H{
k[@\l
xQp h
,uZ5
X&}y|
w@U&
L~S<(=
[}Gu
#Mm,
y:JI
s.|-
j4T8Q
.I%r
HZ)y
39$s
dF`Afk
+AF
^IZ3
1:,N
[E s
.|;@
t5n
RC9l
g_6j
}8Jb
3M$k
v^xs/+Y
aDu !(
!{Gu`K
MP#O
8U>u
o"3C
L@n?
.(V;
tQcI
p|9C
w(1-
l<cw_
=.Pwm
(gv
K6Y.
uc}=
*+,
dP gz?
`oil
wz7|
3z,D~"
7e<&
#o;J
Z(uu
1qs?
cp9V3
\Uk?
> du
A5 =
B[Lf+y
is3f
FhI2@
G0ujd
ks`)
S)D_
a2Tt}
[?;|
Q5{^t
peq}:
bRi-
>~mx[
H,dc
~`&N
W'PJ
9Im#
yQ(i
OSC/
aB>q
z=|$
nh`%S
f <@_
9oFx
.Z8`
<8:g!z
^lp(5
o =)
Mwjr
<*7Y
$M"
jk`zV
C~x!
4Vabi
i^t#
vd;
*uht
<WE@
>f+8
]On
905N
(tB{
R4+>
=eg:
AL/6
yq{7
m_Fz
/T]Z
1m8+
wB!N
[l?x
$ype
;GT&
LItJ
a@4
Dv*{
kbH/
YK L
f/)?{
syWH
m_ws
"say
A6108
$>Yp\(^
a2tk
=?ARb
3")}
eZ<n
R"%O
=3E$"{L
^Xds
@AK6f
@q*Y
]5\D
y; ;
d6ZNL"
^ItH
TRQ;
S)PJ
$cLn
Wd3`
t8|k
4$c.
Zb]yu@
>`9E
rL <
.6;M\
-E[^9
z_ (;
&fK)
1xOC
M-i"
O$.Y
Z t:Vn
/7Hw
qP_}
b0nk
vSH*0
7T>I
P Lr
@Y:=
i;9*
n;#c
G>zB
y~_M
:/.p[
Dnf(
!]tO\
N+*5
5[f\
jz<,
%.b)c$1
q;l<y
D</R
$9ra
>!C6
C@$.+h
< tz
6u_]
zY C
Mb 0F
-aBWu
p[/Q;
Z`lcn
aT-4
4 !z
P:f4>i
l>_3
WS0R
a$_I
3 =s
9asc
J+E!
u}F)
Z@ tH
w,Ni
rL=w
H%\fh
P/uD
!@%Z)
\q4E
$9c?
&ZU*
zeX6
JjAq
&`@g"P
qCQ~
h vx
AL=}@
f%K~
This
ap]l
ith8
jGg,
Tfclab
d$vH
A"x#VT
"J+(
f=gv
SVW
s_03
6 (r
-v.1'5Lv}
R1hDH
m/ Q
I;<(
&]P/
1;Rqq
VXse*
G;n|Nl
(_[r
+}CM6
dGbp'
S"j$
}N6u
l~pz9
`,u*
"ZAO
0i "
Sj@h
Pj@QS
+|$(
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
VirtualProtect
L32.dl
rtua
A8opc?Ex}1Pr
at>ibv
Modul
( Fai
~g7Bo